#!/bin/bash -x

LOCAL_REGISTRY="AAAAAAAAAAAAAAAAAAAAAA"
your_unsigned_image="BBBBBBBBBBBBBBBBBBBBB"
your_signed_image="CCCCCCCCCCCCCCCCCCCC"

export kbs_namespace="trustee-operator-system"
export kbs_deploy="trustee-deployment"
export kbs_pod_ip_addr="$(kubectl get pods -n $kbs_namespace -o wide | \
  grep $kbs_deploy | \
  sed "s/^.* \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\) .*$/\1/g"
)"
export kbs_resource_dir="/opt/confidential-containers/kbs/repository"

export pod_yaml=signing.yaml
export pod_name="nginx"
export pod_runtimeclass="kata-qemu-csv3"
export pod_container_image_unsigned="${your_unsigned_image}"
export pod_container_image_signed="${your_signed_image}"

export KBS_KEY_PATH="default/cosign-key/1"
export KBS_SEC_POLICY_PATH="default/security-policy/test"

export UNSIGNED_IMAGE="${your_unsigned_image}"
export SIGNED_IMAGE="${your_signed_image}"

export cosign_bin=$(pwd)/cosign-linux-amd64

if [ ! -e $cosign_bin ]; then
  wget https://github.com/sigstore/cosign/releases/download/v2.2.1/cosign-linux-amd64
  chmod +x cosign-linux-amd64
fi

pushd $HOME/workspace/CoCo/deployment/samples/

output_dir=$(pwd)/test-cosign-signing

if [ ! -d $output_dir ]; then
  mkdir -p $output_dir
fi

step=${1:-1}

# generate cosign key pair
if [ $step -eq 1 ]; then
  pushd $output_dir
  rm -rf cosign.key cosign.pub 
  # output: cosign.key, cosign.pub
  COSIGN_PASSWORD="just1testing2password3" \
    $cosign_bin generate-key-pair
  popd
fi

# build, push, signing the image
if [ $step -eq 2 ]; then
  dockerfile=Dockerfile.test-signing
  cp $dockerfile.in $dockerfile
  sed -i "s!MARK_UNSIGNED_IMAGE!${UNSIGNED_IMAGE}!g" \
    $dockerfile
  sudo docker build \
    -t ${SIGNED_IMAGE} \
    -f $dockerfile \
    .
  docker push ${SIGNED_IMAGE}
  $cosign_bin sign --key $output_dir/cosign.key ${SIGNED_IMAGE}
fi

# upload cosign pubkey and bind the signature policy to KBS
if [ $step -eq 3 ]; then
  kubectl exec deploy/$kbs_deploy -c kbs -n $kbs_namespace \
    -- mkdir -p "${kbs_resource_dir}/$(dirname "$KBS_KEY_PATH")"
  cat $output_dir/cosign.pub | \
    kubectl exec -i deploy/$kbs_deploy -c kbs -n $kbs_namespace \
    -- tee "${kbs_resource_dir}/${KBS_KEY_PATH}" > /dev/null
  cat > security-sig-policy.json <<EOF
{
    "default": [{"type": "sigstoreSigned"}],
    "transports": {
        "docker": {
            "$SIGNED_IMAGE": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "kbs:///$KBS_KEY_PATH"
                }
            ]
        }
    }
}
EOF
  kubectl exec deploy/$kbs_deploy -c kbs -n $kbs_namespace \
    -- mkdir -p "${kbs_resource_dir}/$(dirname $KBS_SEC_POLICY_PATH)"
  cat security-sig-policy.json | \
    kubectl exec -i deploy/$kbs_deploy -c kbs -n $kbs_namespace \
    -- tee "${kbs_resource_dir}/$KBS_SEC_POLICY_PATH"
fi

# generate pod yaml
if [ $step -eq 4 ]; then
  cp $pod_yaml.template $pod_yaml
  sed -i "s!MARK_POD_NAME!$pod_name!g" $pod_yaml
  sed -i "s!MARK_POD_RUNTIMECLASS!$pod_runtimeclass!g" $pod_yaml
  sed -i "s!MARK_KBS_SEC_POLICY_PATH!$KBS_SEC_POLICY_PATH!g" $pod_yaml
  sed -i "s!MARK_KBS_POD_IP_ADDR!$kbs_pod_ip_addr!g" $pod_yaml
  sed -i "s!MARK_POD_CONTAINER_IMAGE_SIGNED!$pod_container_image_signed!g" $pod_yaml
fi

# run pod
if [ $step -eq 5 ]; then
  kubectl apply -f $pod_yaml
fi

popd
